HOME AND HOME OFFICE BLOG
 

‘MegaSearch’ Aims to Index Fraud Site Wares

A new service aims to be the Google search of underground Web sites, connecting buyers to a vast sea of shops that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools.


A glut of data breaches and stolen card numbers has spawned dozens of stores that sell the information. The trouble is that each shop requires users to create accounts and sign in before they can search for cards.

Enter MegaSearch.cc, which lets potential buyers discover which fraud shops hold the cards they’re looking for without having to first create accounts at each store. This free search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.

According to its creator, the search engine does not store the compromised card numbers or any information about the card holders. Instead, it works with card shop owners to index the first six digits of all compromised account numbers that are for sale. These six digits, also known as the “Bank Identification Number” — or BIN — identify which bank issued the cards. Searching by BIN, MegaSearch users are given links to different fraud shops that are currently selling cards issued by the corresponding bank.

I first read about this offering in a blog post by RSA Fraud Action Research Labs. It didn’t take much time poking around a few hacker boards to find the brains behind MegaSearch pitching his idea to the owners of different fraud shops. He agreed to discuss his offering with me via instant message, using the search service as his screen name.

“I’m standing on a big startup that is going to be [referred to as] the ‘underground Google,’” MegaSearch said. “Many users spend a lot of time looking [through] shops, and I thought why not make that convenient?”

The service currently indexes compromised BINs from five different card shops, although he said several more shops are close to completing their integration with MegaSearch. He acknowledged garnering a small advertising fee for each relationship, although he repeatedly declined to discuss the particulars of those arrangements. But he said both sides benefit: stolen card data grows less reliable with age, and fraud shops that are indexed by MegaSearch stand a better chance of clearing their inventory faster, the hacker argues.


MegaSearch said that when his site first launched at the end of 2011 and began indexing the five card shops he’s now tracking, those shops had some 360,000 compromised accounts for sale, collectively. Since then, those shops have moved more than 200,000 cards. The search engine currently has indexed 352,000 stolen account numbers that are for sale right now in the underground.

According to BIN search stats published on the site, Citibank cards are the most sought-after, followed by cards issued by FIA Card Services, Capital One and Chase.

In the coming weeks, he said, the site will include new features that index other types of criminal wares, including Social Security numbers and proxies — addresses of hacked PCs that paying clients can use as a relay to anonymize their online communications.

“I’m about to add more services to that site that would help newbie underground, including proxies, stolen identity information, etc.,” MegaSearch told me. “I’m also going to add a survey [to rate] the best shop.”

2011 has been called the Year of the Data Breach. If services like MegaSearch are indicative of a trend, 2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.


Nigerian Email Scam Promises $10.5 Million from Hillary Clinton


Secretary of State Hillary Rodham Clinton with then-Nigerian Foreign Minister Henry Odein Ajumogobia in Washington, D.C. in August 2010. Credit: U.S. State Department

You’ve got to hand it to Nigerian email fraudsters — they are nothing if not persistent.

In their latest campaign to fool extraordinarily gullible people that they are due an inheritance, and that a bank in the West African nation is ready to hand over enormous sums of money, no questions asked, Nigerian scammers have begun sending emails that claim to be from U.S. Secretary of State Hillary Clinton, the security firm AppRiver reported.

As a U.S.-government official, Mrs. Clinton, the emails say, endorses the Central Bank of Nigeria in its effort to deposit $10.5 million into the recipient’s bank account. To receive the money, the email, which is signed by Clinton, instructs people to contact the Nigerian bank’s ATM-Card Department, which will give further information as to how to claim an ATM card that entitles its holder to withdraw $10,000 per day.

The text of the email is not visible at first, but rather it’s included as an attached .ZIP file. This is a tactic Nigerian scammers have recently been deploying as a way of subverting anti-spam software designed to detect these types of scams, which are very common, and always promise some sort of multi-million-dollar entitlement from a Nigerian bank or government official.
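A filter that looks inside the attachment, as an added example that is not from the original article or from AppRiver: it builds a constructed message whose body is near-empty and whose pitch sits in a text file inside a ZIP, then scores the body and the extracted attachment text separately against a short, assumed list of advance-fee phrases. The sender, recipient, subject, phrase list and size limits are all assumptions; the scoring is deliberately simple so that the point (the pitch is only visible once the archive is opened) stays visible.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed phrase list for advance-fee ("419") pitches; a real filter would use a
# much larger, maintained list plus sender and reputation signals.
SCAM_PATTERNS = [
    r"central bank of nigeria",
    r"atm[- ]card",
    r"\$\s?\d[\d,.]*\s?(million|m)\b",
    r"secretary of state",
]
TEXT_MEMBERS = (".txt", ".htm", ".html")


def build_sample_message() -> bytes:
    """Constructed sample: a near-empty body with the pitch hidden in a ZIP."""
    pitch = ("Dear beneficiary,\nThe Central Bank of Nigeria, endorsed by the U.S. "
             "Secretary of State, has approved $10.5 million for you. Contact the "
             "ATM-Card Department to receive your ATM card (withdraw $10,000 per day).")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment_notice.txt", pitch)
    msg = EmailMessage()
    msg["From"] = "hclinton@state-gov.example"      # assumed spoofed sender
    msg["To"] = "victim@example.org"                 # assumed recipient
    msg["Subject"] = "Your approved compensation fund"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="notice.zip")
    return msg.as_bytes()


def extract_zip_text(blob: bytes, max_members: int, max_bytes: int) -> str:
    """Read text-like members of an in-memory ZIP, bounded so a zip bomb or a
    huge archive cannot exhaust the scanner. Nested archives are ignored."""
    chunks = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist()[:max_members]:
                if info.file_size > max_bytes:
                    continue
                if not info.filename.lower().endswith(TEXT_MEMBERS):
                    continue
                chunks.append(zf.read(info).decode("utf-8", "ignore"))
    except zipfile.BadZipFile:
        pass
    return "\n".join(chunks)


def scan_message(raw: bytes, max_members: int = 20, max_bytes: int = 1_000_000) -> dict:
    """Score the body and every ZIP attachment separately, so a pitch that was
    moved out of the body to dodge a text filter still gets seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_text, attachment_text = "", ""
    for part in msg.walk():
        is_zip = (part.get_content_type() == "application/zip"
                  or (part.get_filename() or "").lower().endswith(".zip"))
        if part.get_content_disposition() == "attachment" and is_zip:
            attachment_text += extract_zip_text(part.get_payload(decode=True),
                                                max_members, max_bytes)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    body_hits = [p for p in SCAM_PATTERNS if re.search(p, body_text, re.I)]
    attachment_hits = [p for p in SCAM_PATTERNS if re.search(p, attachment_text, re.I)]
    score = len(set(body_hits) | set(attachment_hits))
    return {
        "body_hits": body_hits,
        "attachment_hits": attachment_hits,
        "hidden_in_attachment": bool(attachment_hits) and not body_hits,
        "verdict": "suspicious" if score >= 2 else "clean",
    }


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

Scanning the body alone would return zero hits for this message; the `hidden_in_attachment` flag is the signal that the sender moved the pitch out of the body on purpose, which is itself worth weighting in a mail filter.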

As a steadfast rule, immediately delete any unsolicited, suspicious-looking email that promises a bundle of money from a Nigerian bank. In fact, any time you receive an email offer promising money or gifts, ignore it. If someone approached you out of the blue on the street and promised you $10.5 million, you’d naturally think that person was suspicious. The online street should be no different.

Adobe, Microsoft Issue Critical Security Fixes

Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.


Microsoft released seven security bulletins addressing at least eight vulnerabilities in Windows. The lone “critical” Microsoft patch addresses a pair of bugs in Windows Media Player. Microsoft warns that attackers could exploit these flaws to break into Windows systems without any help from users; the vulnerability could be triggered just by browsing to a site that hosts specially crafted video content.

The other Windows patches earned a less severe “important” rating from Microsoft, although not everyone agrees with that assessment. Symantec’s Joshua Talbot said another bug fixed today — a glitch in the way Windows handles Microsoft Office files — is potentially more dangerous because it appears to be easier to exploit than the Media Player flaw.

“The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file,” Talbot said. “Email attachments will probably be the most common attack method in which this vulnerability is exploited. As usual, we strongly recommend users only open email attachments from people they know.”

More information on the other patches Microsoft released today is available here.


On Dec. 29, Microsoft issued an out-of-band update to address a flaw in ASP.NET that could allow an attacker to force a user to visit a malicious web site. The vulnerability affects all versions of the .NET Framework on Windows XP and later versions of Windows. If you use Windows and see a .NET Framework patch awaiting your approval in Windows Update this month, don’t neglect it.

In a separate release, Adobe pushed out security updates for Adobe Reader and Acrobat. At the forefront of the Adobe patch batch is a fix for a zero-day flaw in Acrobat and Reader that Adobe first warned about in early December. Shortly after that warning, Adobe issued a fix for the flaw in Reader 9.x and Acrobat 9.x, but said it would wait until today (its scheduled, quarterly update) to address it in the new Reader X and Acrobat X versions of the software. Adobe recommends that users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Updates are available for Windows and Mac versions of these titles; see the Adobe advisory for the patch download links.


New Tools Bypass Wireless Router Security

Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.


At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.

But according to new research, routers with WPS are vulnerable to a very basic hacking technique: the brute-force attack. An 8-digit PIN ought to mean 100 million possibilities, but the WPS protocol acknowledges the first four digits separately from the last four, and the eighth digit is only a checksum of the other seven. That leaves at most 10,000 guesses for the first half and 1,000 for the second, so an attacker can try those roughly 11,000 combinations in rapid succession until he happens on the correct PIN that allows authentication to the device.

One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.

Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.
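The arithmetic behind that attack, as an added example that is not part of the original article or of Viehböck’s or Heffner’s tools: the eighth PIN digit is a checksum over the first seven, and the registrar rejects a wrong first half before the second half is ever sent, so the search collapses from 100 million PINs to at most 11,000 attempts. The `SimulatedRegistrar` class, the constructed sample PINs and the attempt counter are assumptions standing in for a real access point; the checksum routine follows the WPS specification.

```python
# Added example, not part of the original article: the arithmetic behind the
# WPS PIN brute force. The 8th digit of a WPS PIN is a checksum of the first 7,
# and the registrar confirms the two 4-digit halves separately (a wrong first
# half is rejected before the second is sent), so an attacker needs at most
# 10^4 + 10^3 = 11,000 attempts rather than 10^8.


def wps_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit PIN prefix (weights 3,1,3,1,... from the right),
    as defined in the WPS specification."""
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True when an 8-digit PIN carries the right checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class SimulatedRegistrar:
    """Assumed stand-in for the access point. It mirrors the protocol's
    information leak: each half of the PIN is confirmed on its own."""

    def __init__(self, pin: str):
        if not wps_pin_valid(pin):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0

    def try_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def try_second_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[4:]


def brute_force_pin(ap: SimulatedRegistrar) -> str:
    """Recover the PIN: 10,000 candidates for the first half, then only 1,000
    for the second because its last digit is fixed by the checksum."""
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if ap.try_first_half(cand):
            first = cand
            break
    if first is None:
        raise RuntimeError("no first half matched; registrar locked or not WPS")
    for j in range(1_000):
        three = f"{j:03d}"
        cand = three + str(wps_checksum(int(first + three)))
        if ap.try_second_half(cand):
            return first + cand
    raise RuntimeError("no second half matched")


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")   # constructed sample PIN
    print(brute_force_pin(ap), "recovered after", ap.attempts, "attempts")
```

Against a real access point each “attempt” is a full WPS exchange of several EAP messages, which is why the tools take hours rather than seconds; a vendor lockout after a handful of failures only stretches that time unless the lockout is long enough to make 11,000 attempts impractical.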

“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in an instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”

Separately, Craig Heffner, a researcher with Columbia, Md.-based security consultancy Tactical Network Solutions, has released an open-source tool called “Reaver” to attack the same vulnerability. Heffner notes that once an attacker has successfully guessed the WPS PIN, he can instantly recover the router’s encryption passphrase, even if the owner later changes the passphrase, because the PIN itself does not change. In addition, he warns, “access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.”


The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.

First the good news: Blocking this attack may be as simple as disabling the WPS feature on your router. The bad news is that it may not be possible in all cases to do this.

In an advisory released on Dec. 27, the U.S. Computer Emergency Readiness Team (US-CERT) warned that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.” The advisory notes that products made by a number of vendors are impacted, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXEL.

Viehböck said none of the router makers appear to have issued firmware updates to address the vulnerability. The US-CERT advisory makes no mention of updates from hardware vendors. The advisory also says little about which models may be affected, but if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in.


‘Highly Critical’ Windows Flaw Puts Safari Surfers in Danger


Microsoft Windows 7 harbors a serious vulnerability that puts people browsing the Web on Safari in danger of having their computers compromised.

In an advisory, the security firm Secunia warned that the “highly critical” memory corruption flaw could allow a remote attacker to gain access to a target’s Windows 7 system and execute malicious code with kernel-level privileges.

The port of entry for the hack is Apple’s popular Web browser, Safari; by crafting a rigged iFrame — a line of code inserted into a Web page that loads data from another site — an attacker could launch the takeover. There is currently “no effective solution” for the flaw, Secunia wrote.

There is no patch to apply yet, so until one ships the practical defenses are to avoid untrusted sites when browsing with Safari on Windows 7 and to run strong, up-to-date anti-virus software on your computer, supplemented with an anti-malware program that detects and removes threats.

Trojan Tricks Victims Into Transferring Funds

It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.


The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

The BKA’s advisory isn’t specific about the responsible strain of malware, but it is becoming increasingly common for banking Trojans to incorporate “Web injects,” custom designed plug-ins that manipulate what victims see in their Web browsers.

This attack is an insidious extension of the tactic pioneered by the URLZone Trojan, which specializes in manipulating the balance that victims see when they log into their (cleaned-out) bank accounts.
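To make concrete what a Web inject does, here is an added example that is not code from the original article, the BKA advisory or any malware family: a small parser and applier modeled on the plain-text webinject configuration layout used by ZeuS-style Trojans (`set_url`, `data_before`, `data_inject`, `data_after`, each block terminated by `data_end`). The bank page, the three injects, the URL and the IBAN are constructed samples; the real format allows wildcards inside the markers, which this literal-match version omits. The point to notice is that the server’s HTML never changes, so nothing in the bank’s logs shows the rewrite.

```python
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_pattern: str   # glob, "*" matches anything
    flags: str         # "G"/"P": apply to GET/POST responses (ZeuS-style convention)
    before: str = ""   # literal marker: replace what follows it ...
    after: str = ""    # ... up to this marker ...
    inject: str = ""   # ... with this content


def parse_webinjects(text: str) -> list[Inject]:
    """Parse the set_url / data_before / data_inject / data_after / data_end layout.
    Simplified: markers are matched literally, no wildcards."""
    injects: list[Inject] = []
    section, buf = None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            _, pattern, *rest = line.split()
            injects.append(Inject(pattern, rest[0] if rest else "GP"))
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and section is not None:
            setattr(injects[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def url_matches(pattern: str, url: str) -> bool:
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), url) is not None


def apply_injects(html: str, url: str, method: str, injects: list[Inject]) -> str:
    """What the victim's browser renders: the server's HTML with the injects applied."""
    for inj in injects:
        if method[0].upper() not in inj.flags or not url_matches(inj.url_pattern, url):
            continue
        start = html.find(inj.before)
        if start < 0:
            continue
        start += len(inj.before)
        end = html.find(inj.after, start)
        if end < 0:
            continue
        html = html[:start] + inj.inject + html[end:]
    return html


def changed_lines(server_html: str, rendered_html: str) -> list[str]:
    """Lines in the rendered page that the server never sent; this is what a
    client-side integrity check or an analyst comparing a proxy capture with
    the browser's DOM would catch."""
    server_lines = server_html.splitlines()
    return [l for l in rendered_html.splitlines() if l not in server_lines]


# Constructed sample page, as served by the (hypothetical) bank.
SERVER_PAGE = """<html><body>
<h1>Account 12-3456</h1>
<div id="notice"></div>
<p>Balance: <span id="balance">1,250.00 EUR</span></p>
<form id="transfer" action="/transfer" method="post">
  <input name="iban" value="">
  <input name="amount" value="">
</form>
</body></html>"""

# Constructed sample inject set: fake "erroneous credit" notice, inflated
# balance, and a pre-filled destination account (IBAN is a placeholder).
WEBINJECTS = """set_url https://bank.example/account* GP
data_before
<div id="notice">
data_end
data_inject
<b>A payment of 8,000.00 EUR was credited to you in error. Your account is frozen until it is returned.</b>
data_end
data_after
</div>
data_end
set_url https://bank.example/account* GP
data_before
<span id="balance">
data_end
data_inject
9,250.00 EUR
data_end
data_after
</span>
data_end
set_url https://bank.example/account* GP
data_before
<input name="iban" value="
data_end
data_inject
DE00 0000 0000 0000 0000 00
data_end
data_after
">
data_end
"""

if __name__ == "__main__":
    rendered = apply_injects(SERVER_PAGE, "https://bank.example/account?id=1", "GET",
                             parse_webinjects(WEBINJECTS))
    for line in changed_lines(SERVER_PAGE, rendered):
        print("INJECTED:", line)
```

Because the rewrite happens after the TLS session is decrypted inside the browser, neither HTTPS nor the bank’s server-side logging sees it; the only places the discrepancy is observable are the endpoint itself and an out-of-band channel such as the phone call the advice below recommends.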

If you log in to your bank account and see something odd, such as a “down for maintenance” page or an alert about a wayward transfer, your best option is to pick up the phone and call your bank. Make sure you are using the bank’s real phone number: Malware like the ZeuS Trojan has been known to present newly-fleeced victims with messages about problems with the bank’s Web site, along with a bogus customer support phone number.

Facebook Worm Ramnit Steals Log-In Credentials, Tests against Other Services

The latest version of the Ramnit worm steals Facebook credentials and spams friends on the social-networking site to spread itself instead of relying on email, researchers said.


A new variant of the Ramnit worm has managed to steal log-in credentials for several thousand Facebook accounts, according to researchers at Seculert.

The latest Ramnit variant stole more than 45,000 Facebook passwords and tried compromising other accounts belonging to the victims, such as virtual private networks, emails and other Web services, Seculert researchers wrote Jan. 4. By examining the command-and-control server associated with Ramnit, Seculert researchers were able to detect the stolen credentials, most of which were from the United Kingdom and France.

Ramnit was first detected more than 18 months ago and targeted online banking and FTP credentials by infecting HTML files, Office documents and Windows executables, according to a profile published in Microsoft Security Intelligence Report Volume 11. Ramnit variants often abuse the Autorun feature and incorporate social-engineering tricks to con users into helping the malware spread, according to Microsoft. It can steal log-in credentials and browser cookies, as well as open a backdoor to the infected machine.

“Recently, our research lab identified a completely new ‘financial’ Ramnit variant aimed at stealing Facebook log-in credentials,” Seculert wrote.

Trusteer researchers analyzed a Ramnit variant in June and found that it had “morphed” into malware capable of financial fraud. The financial worm exhibited similarities with the Zeus Trojan and was able to use the large infected base of machines to spam users with malicious links, according to Trusteer. The variant found by Seculert appears to be a more recent version targeting social-networking sites, instead.

Attackers are also using the stolen information collected by the newest Ramnit worm to log in to the victims’ accounts and send malicious links to all their friends to help spread the malware, the researchers found.

It appears that cyber-criminals are now experimenting with replacing the old-school email worms with more up-to-date social-network worms, Seculert researchers said. Another worm was detected in November by researchers at Denmark’s CSIS which used a similar method to spread on Facebook.

The Facebook worm stole user credentials and then spammed out malicious links to the victims’ friends. The links led to a supposed photo Website which downloaded a variety of malware on users’ machines, including a variant of the Zeus Trojan.

Malware writers need to communicate with their victims to infect them and further propagate their attacks, Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told eWEEK. Internet users are shifting away from email to communicate on social networks, and malware writers are making the same shift to adopt the victims’ “preferred means of communication,” Sutton said.

While users recognize that email can be easily spoofed and will often ignore suspicious messages, they are less likely to ignore messages sent over Facebook, according to Sutton. “Victims are simply not aware that the ‘trusted’ Facebook account from which the communication was received may itself have already been compromised,” he said.

After stealing the credentials, attackers tested the information to see whether users had reused their passwords on other sites and applications, such as corporate email and Gmail, according to Seculert.

A worm designed to steal from financial institutions has evolved into a social-network threat, John Weinschenk, CEO at Cenzic, told eWEEK. “Bank account numbers and Facebook log-in credentials seem very different, but to hackers, they are equally as lucrative,” Weinschenk said. 

Users need to be vigilant about changing passwords often, avoid clicking on unknown links and alert their friends to a potential malicious link they might have posted, Weinschenk recommended.

Previous Ramnit variants infected more than 800,000 machines in the last five months of 2011, estimated Seculert researchers. A Symantec report from July estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.

How ‘Grayware’ Threatens Office Computer Networks


This is what happens when you install too many add-on browser toolbars. Credit: MDornSeif/Creative Commons

Do you use AOL Instant Messenger at work? How about Dropbox? Do you have “Plants vs. Zombies” installed as an app in your Google Chrome browser? Or a third-party browser search bar?

Odds are that your company’s IT department didn’t specifically authorize the installation of such applications and plug-ins. If that’s the case, then they’re termed “grayware,” and believe it or not,

Grayware applications aren’t actually viruses or other forms of malware. In most cases, they’re common pieces of software that enable real-time communication. Other examples of grayware include messaging apps such as Google Talk or eBuddy, dozens of Twitter add-ons and utilities that track weather or stocks. All are “passive” applications that are fed and updated from a cloud network.


Just under the radar, but talking to the whole world

The passive nature of grayware applications lets them often go unnoticed in corporate networks, which partly explains their widespread use by office workers. Recent surveys show that grayware can constitute a substantial percentage of a workplace’s online software.

“Graywares now come in many shapes and sizes,” said Michael Xie, chief technology officer and vice president of engineering at Sunnyvale, Calif.-based firewall manufacturer Fortinet. “It is really hard to differentiate them from normal applications, which is the reason why their proliferation rate [today] is higher than ever.”

For instance, the thousands of add-ons available for Mozilla Firefox and Chrome act like normal applications. But they actually have links established with cloud servers collecting user information and activity trends. If any of those cloud servers are compromised or infected, malware gets a backdoor right into countless corporate networks.

In such situations, conventional anti-virus software and firewalls are mostly unable to minimize vulnerability. Cutting off grayware applications’ Internet access might result in the termination and interruption of other, authorized, Internet-facing applications.

Security applications can easily tell the difference between “white” (safe) and “black” (malicious) software, but they’re still not able to categorize the “grays.” That ambiguity could lead to serious breaches of corporate networks in the future.

“In the beginning, we were concerned only about types of viruses, and now we have several different breeds of malicious programs, with each having compound identities,” Xie said. “The thing is that nobody is concerned about their names and classifications anymore. People just want to get rid of them.”

Normally, grayware is not as invasive as malicious Trojans and viruses — it behaves in an entirely different manner. Often, the worst side effect of such software is the gradual installation of small activity-sniffers and spyware programs.

Much grayware comes in the form of add-on browser toolbars that access online third-party services. Their installation requires no approval from network administrators, nor sometimes even the end user.

You might have noticed it yourself: while installing a software update or downloading a package, you get an auto-checked installation dialog box which, by default, assumes your approval to install browser toolbars and other “adware” alongside the desired software.

But such add-on toolbars often change the home addresses of Web browsers and redirect invalid browsing requests — typos, basically — to optimized Web pages full of spam and cheap ads. In some cases, those Web pages infect visiting computers with malware.
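One way to inventory that kind of add-on, as an added example that is not from the original article or from Fortinet or Trend Micro: scan a Chrome-style Extensions directory, read each manifest.json and report the extensions that are not on an allowlist, along with the hosts they may contact. The allowlist, the two sample manifests and the temporary directory are constructed here; on a real workstation the directory is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows or ~/.config/google-chrome/Default/Extensions on Linux.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist of extension IDs approved by the IT department.
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def host_access(manifest: dict) -> list[str]:
    """Hosts an extension may contact: MV3 'host_permissions', plus the URL
    patterns that MV2 mixes into the ordinary 'permissions' list."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", [])
              if "://" in p or p == "<all_urls>"]
    return hosts


def audit_extensions(extensions_dir: Path, approved: set) -> list[dict]:
    """Walk Extensions/<id>/<version>/manifest.json and report each extension
    that is not on the allowlist, with the hosts it can reach. Names that look
    like __MSG_xxx__ are localized placeholders and are reported as-is."""
    findings = []
    for ext_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        if ext_dir.name in approved:
            continue
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            hosts = host_access(manifest)
            findings.append({
                "id": ext_dir.name,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", manifest_path.parent.name),
                "hosts": hosts,
                "broad_access": any(h in BROAD_PATTERNS for h in hosts),
            })
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample data: one approved viewer and one unapproved toolbar."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0": {
            "name": "Approved PDF viewer", "version": "1.0.0", "manifest_version": 3,
            "host_permissions": ["https://intranet.example/*"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/4.2.1": {
            "name": "Weather & Search Toolbar", "version": "4.2.1", "manifest_version": 2,
            "permissions": ["tabs", "webRequest", "<all_urls>"]},
    }
    ext_root = root / "Extensions"
    for rel, manifest in samples.items():
        d = ext_root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def demo() -> list[dict]:
    """Run the audit against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_tree(Path(tmp)), APPROVED_EXTENSIONS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['id']}  {f['name']} {f['version']}  "
              f"broad={f['broad_access']}  hosts={f['hosts']}")
```

An extension that asks for `<all_urls>` together with `webRequest` can read and alter every page the user loads, which is exactly the “parallel communication channel” the next section describes; that combination is the first thing to flag when the ID is not on the allowlist.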


Hard to avoid, hard to get rid of

Grayware authors often design their applications without proper uninstall features, making them difficult to remove. The applications also capture and analyze user activity for commercial reasons, which can be seen as a breach of privacy and network security.

Grayware often opens parallel communication channels from the user’s computer, channels that share sensitive information about the user and his company’s network even while he stays on the primary channel.

And grayware applications gradually increase their runtime system-resource consumption, which drastically decreases the efficiency of end-user computers. If even 40 percent of the machines on a corporate network have heavy grayware activity, IT departments may have to do a complete overhaul and re-design of security parameters on workstations.

“Most of the time, these [grayware applications] are unknowingly downloaded by the users, and once they are installed, the system just treats them as a mere unwanted application establishing outside connections,” said Erika Mendoza, threat response engineer at Trend Micro, Inc. “They are made out to be sticky and irritating, but in reality are as dangerous as malwares and spywares.”


Seeing in black and white

There’s an old saying among IT professionals that “the only secure computer is one that’s unplugged.” The prevalence of grayware not only confirms that maxim, but also shows how helpless information security can become with rapid technological advancement.

Fortunately, there are ways to avoid the risks of grayware. Be extra-attentive when updating software. Check with your corporate IT department before installing messaging or entertainment applications. And always remember that if someone’s giving away software for free, they’ll usually want something in return.

Fake Steve Jobs Charity Fund Hits Inboxes


New Yorkers placed flowers, notes and apples outside the Apple store at Fifth Avenue to pay respect to Steve Jobs. Now scammers are trying to profit from his passing.

It’s been just over two weeks since Apple’s Steve Jobs died, but online scammers have been working hard to keep his memory alive — so they can exploit it for cash.

A spam email campaign has been hitting inboxes promoting the “Steve Jobs Charitable Foundation,” an organization that claims to support young, talented computer programmers and Web coders.

In poorly worded English, the message attempts to tap into people’s sympathies surrounding Steve Jobs’ passing by asking them to give “even a small amount” of money, which will then be used to help these young, gifted kids who “do not have opportunity to study and bring their ideas to life.” The email’s title — whose spelling alone should be a huge red flag — is “Raise money for Steve Jobs Charity Fond!”

Security researchers followed the link included in the scam and discovered that it redirects those who fall for the bait to an online casino payment site.

This fake charity is just one of several scams online crooks have served up since the death of the iconic Apple CEO. Similar ploys promised contests to win MacBook Pros in Jobs’ memory, or free iPads; another phony Web page promised exclusive video footage from Jobs’ funeral.

Anytime there’s an event that draws international attention, it’s important to exercise caution when searching for relevant information on the Internet. It’s easy for cybercriminals and scammers to set up fraudulent websites or even pictures that can compromise your computer with a single click. If you are compelled to give money to a charitable organization, contact that group on the phone, or type in the organization’s URL into the browser bar; don’t navigate to a charity site from an email or social networking link.

Southwest Scam Offers Customers Two Free Tickets

With the holidays around the corner, cybercriminals have been busy designing scams to fool people who are looking for bargains online. The latest hit Facebook, offering people two free tickets on Southwest Airlines just for clicking on a link.

The phony offer leads users through a maze of surveys and delivers no tickets for their efforts. Southwest alerted customers through social media Monday, warning them of the fraud. Just remember: if something sounds too good to be true, it probably is.


“Hey folks! There is a scam being passed around on Facebook about a 2 free ticket offer from Southwest. This is not sponsored by us, so please don’t click or share the links!” Southwest posted on their Facebook page.

“We are aware of the scam for two free tickets being spread across Facebook. This offer is in no way affiliated with Southwest Airlines and we are working with Facebook to get it removed,” Southwest spokesperson Christi McNeill said in a statement.

Scams on the internet are nothing new, especially when it pertains to free tickets to an airline. USC Junior Jonathon Wilson said there is a responsibility on users of social media to avoid the fraud.

“People should know better not to click on them in the first place,” Wilson said. “There’s such thing as ‘too good to be true.’”

Not everyone used the same judgment when seeing the link for the deal. Freshman Andrew Bushong was one of the Facebook users who fell victim to the Southwest scam.

“It made me basically jump through a hundred hoops to try and get something I was never going to get,” Bushong said.

Southwest added some tips on what to look for to avoid future scams.

“For promotions, we rarely deviate from linking to our own website, southwest.com, and our blog, blogsouthwest.com,” Southwest Airlines representative Brooks Thomas said. “If we’re linking to a third party, the message will always come directly from us.”

According to Softpedia.com, a recent bust by the FBI showed a cyber crook gang took in $14 million off a similar scam.